31 January 2015

Air-gapped computers are no longer secure

January 26, 2015

To insure security, the thought was to pull the computer off of the network. That is not always the case according to three Georgia Tech researchers who exploit side-channel signals. 

Image: Georgia Tech Ever since Edward Snowden released documents outlining government overwatch of the internet, security pundits have insisted the only way to ensure privacy, anonymity, and security when using computers is to unplug them (air-gap) from any kind of network infrastructure, especially the internet.

Well, Robert Callan, Alenka Zajic, and Milos Prvulovic, researchers at Georgia Institute of Technology, beg to differ. The team explains in this paper how keystrokes can be captured from a computer that is disconnected network-wise by receiving side-channel signals from the computer.

Side channel signals?

Side channels are something I have written about, but this technology is different. I contacted Alenka Zajic, assistant professor of electromagnetics, and asked about the difference. Zajic explains there are many types of side channels: acoustic, power, electromagnetic, and cache (what I wrote about). "Prvulovic and I are working on ElectroMagnetic (EM) side-channels," explains Zajic. "The reason for studying EM and power side-channels is the fact that zeros and ones have to have different voltage levels." 

By attaching a probe to the right chip pin out, points out Zajic, the different voltage levels can be compiled and converted to useful information -- zeros and ones. Even, more interesting to the researchers: the voltage fluctuations create EM radiation that can be captured and processed some distance from the computer.
How side-channel signals are captured

According to Zajic, there is significant prior research on side-channel signals. However, it is difficult to convince people this is a real problem. Reason being: this attack is difficult to pull off:

● It is problematic to distinguish usable information from noise.

● The signals are weak (order of zepto-Jules).

Zajic tried to impress upon me just what that meant. One must realize computers multi-task operations, meaning much of the radiation emanating from the EM source being monitored is of no interest to the Georgia Tech researchers. They had to figure out how to separate useful information from the noise. "In our process of figuring out why EM side-channels were happening," mentions, Zajic. "We found a relationship between software activity and EM emanations, such that we can control what is transmitted."

Regarding weak signals, Zajic says the team developed additional code to enhance weak RF signals to where the team's receiving antenna could be up to six meters away.
SAVAT

Signal Available to ATtacker (SAVAT) is the group's code name for the technology that overcomes the obstacles of multiple weak signals.

"To overcome these problems, our measurement methodology proposes directly analyzing the signal created by the execution of code containing both A and B instructions," explains the teams research paper. "This code is carefully constructed so that any signal due to differences between the A and B instructions is localized in frequency."

The image at the beginning of the article and the slide to the right provide an idea of how the program 

Image: Georgia Tech separates the different voltage levels (A and B), compiles the data, and displays each keystroke as single line (left pop-up window). Zajic suggests watching these YouTube videos for a better sense of what can be received and the how far away the receiving equipment can be from the victim's computer.

Already weaponized

I asked Zajic if she knew of any cases where this technology has been used by bad actors. That, she said, we would not know about. However, security researcher Mordechai Guri with guidance from Professor Yuval Elovici from the cyber security labs at Ben-Gurion University in Israel have developed "AirHopper." "A breakthrough method for leaking data from an isolated computer to a mobile phone without the presence of a network," mentioned this Ben-Gurion University press release.

This video depicts how AirHopper works. The Ben-Gurion researchers can capture EM radiation from an air-gapped computer using a mobile phone. The mobile phone then sends the captured data to a remote server where the attackers can analyze the data. The press release explains the significance: "The common policy in secure organizations is to leave your mobile phone in some locker when you enter the facility and then pick it up when you go out. We at the cyber security labs challenged this assumption and found a way to leak data from a computer inside the organization to a remote mobile phone without using Wi-Fi or Bluetooth."
Reason for the research

As to why the Georgia Tech team pursued this research. "Overall, we confirm that our new metric and methodology can help discover the most vulnerable aspects of a processor architecture or a program," wrote Zajic. "Thus inform decision-making about how to best manage the overall side-channel vulnerability of a processor, a program, or a system."

The Georgia Tech research has been supported, in part, by the National Science Foundation and the Air Force Office of Scientific Research.

No comments: